Hello everyone,
We all know and love method-permission declarative security in the
deployment descriptor. For example: in MortgageApplication's DD,
we can say only the BranchManager role can execute the approveMortgage method.
But if this is a large bank, quite often bank policy forbids the manager
of Branch 1 from approving an application lodged at Branch 2; a manager
can only approve applications lodged in his/her branch.
I have seen this type of rule in many large enterprise systems.
The effect is that most rules cannot be fully enforced with
method-permission; they need to be further qualified in
program code. This does not go down well with J2EE/EJB's recommendation.
I end up writing a proprietary framework to manage them. In doing so,
I found EJBContext.isCallerInRole() is a bit too low level.
Since this is such a common occurrence, I am sure lots of other people
have dealt with it too. So I wonder whether any common solution has been
found particularly successful. Has any thought been given to this area in
the future evolution of EJB/J2EE?
cheers
chuck
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
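As an added illustration of the layering Chuck describes (this is example code written for this page, not part of his post or of any real banking system), the sketch below keeps the container's method-permission check for the BranchManager role and adds the instance-level "same branch" qualification in one small policy class, so the bean itself never calls isCallerInRole()/getCallerPrincipal() in more than one place. The entity MortgageApplication, the BranchDirectory and ApplicationStore interfaces, and the BranchApprovalPolicy class are all assumptions invented for the example; the Java EE annotations and SessionContext calls are real APIs, and the ejb-jar.xml fragment in the comment is the descriptor form of the same role restriction.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/*
 * Deployment-descriptor equivalent of the @RolesAllowed below (ejb-jar.xml):
 *
 *   <method-permission>
 *     <role-name>BranchManager</role-name>
 *     <method>
 *       <ejb-name>MortgageApplicationBean</ejb-name>
 *       <method-name>approveMortgage</method-name>
 *     </method>
 *   </method-permission>
 *
 * The container can only enforce "caller holds BranchManager". Which branch
 * the application was lodged at is a property of the instance, so that part
 * of the rule has to be checked in code.
 */

/** Hypothetical entity: an application and the branch it was lodged at. */
class MortgageApplication {
    final long id;
    final String lodgedAtBranch;
    MortgageApplication(long id, String lodgedAtBranch) {
        this.id = id;
        this.lodgedAtBranch = lodgedAtBranch;
    }
}

/** Hypothetical lookup of a caller's home branch (HR directory, LDAP, ...). */
interface BranchDirectory {
    String homeBranchOf(Principal caller);
}

/** Hypothetical data access for applications; null if no such application. */
interface ApplicationStore {
    MortgageApplication find(long applicationId);
}

/**
 * Hypothetical instance-level rule, kept in one place so business methods
 * ask a domain question ("may this caller approve this application?")
 * instead of working with raw role and principal calls.
 */
class BranchApprovalPolicy {
    private final BranchDirectory directory;

    BranchApprovalPolicy(BranchDirectory directory) {
        this.directory = directory;
    }

    /** True only when the caller's home branch is the application's branch. */
    boolean mayApprove(Principal caller, MortgageApplication app) {
        String home = directory.homeBranchOf(caller);
        return home != null && home.equals(app.lodgedAtBranch);
    }
}

@Stateless
@RolesAllowed("BranchManager") // coarse, declarative check done by the container
public class MortgageApplicationBean {

    @Resource
    private SessionContext ctx;

    // Assumed to be injected by the container or the application's own framework.
    private ApplicationStore store;
    private BranchApprovalPolicy policy;

    public void approveMortgage(long applicationId) {
        // By the time we get here the container has already rejected any
        // caller who is not a BranchManager. Now qualify that with the
        // branch of the application actually being approved, loaded from
        // the store rather than taken from a client-supplied branch id.
        MortgageApplication app = store.find(applicationId);
        Principal caller = ctx.getCallerPrincipal();

        // Fail closed, and answer "unknown application" and "wrong branch"
        // the same way so the method does not become an existence oracle.
        if (app == null || !policy.mayApprove(caller, app)) {
            throw new EJBAccessException("caller " + caller.getName()
                    + " may not approve application " + applicationId);
        }

        // ... approval logic for the application goes here ...
    }
}
```

Two points worth keeping when applying this pattern: the branch comparison must use the branch stored with the application, never a branch identifier passed in by the client, or the instance-level rule collapses back to the role check alone; and the policy object is the natural place to add further qualifications (amount limits, four-eyes approval) without touching the bean's security wiring.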